For cyber-terrorists: 'There's no firewall for stupidity'

Share this story

There's a war being fought every second, right under our noses and it effects everyone. It doesn't involve any bombs or bloodshed -- the targets are services we rely on daily that could virtually disappear with just a few key strokes.

Security experts say it's not a matter of "if" but "when" a cyber-terrorist attack or intrusion will take place on our critical infrastructure and the Puget Sound is a prime target.

The Obama Administration released an unclassified alert regarding a cyber-attack last week, warning companies and local governments that handle critical infrastructure of a possible intrusion, even naming China and Iran as possibly perpetrators.

"You have some of the best hi-tech companies in the world in the Puget Sound area," says Howard Schmidt, the former Cyber Security Coordinator for the Obama Administration. "You have some of the better Cloud services then anywhere in the world here in the Puget Sound, you have some of the best military operations here, all concentrated here in the area and a population that supports it."

The former head of security of Microsoft now consults foreign governments and Fortune 500 companies a with former Department of Homeland Security Secretary Tom Ridge on global cyber threats.

"If you could actually look around the country and made a thermal map of all these things coming together, we're one of those really bright spots that really make us a good solid target," says Schmidt.

Cites and companies tend to shy away from releasing numbers about attacks on computer systems that control critical infrastructure, but the computer security experts for the City of Seattle say attempts to break into the city's networks are constant.

"In a typical week here, we get between 30,000-60,000 password guesses, our websites are attacked every four minutes and we get about 3-5 compromised desktops every day," says Mike Hamilton, Chief Information Security Officer for the City of Seattle. "There are more bad guys and they're better resourced than there are of us."

Our region depends on computer networks to deliver oil and gas, manage our transportation, purify our water and keep the electricity flowing to our homes. Hamilton says it's too hard for cyber terrorists to take control of the entire U.S. power grid, rather they could generate regional blackouts by disrupting the buying and selling of power that computers control.

One of the biggest targets for a cyber-attacker targeting critical infrastructure would be disrupting operations at a waste water treatment plant.

"If we lost transportation management that would be really annoying, but if we lost our ability to conduct sewage waste processing that would be way more than annoying in about 48 hours," says Hamilton.

Protecting internet and telecommunications is key. Hamilton says disrupting networks operating the Westin Building and Fisher Plaza would be bad because the facilities touch the backbone of the internet.

"The loss of one of those would have a severe impact on internet connectivity for the entire West Coast," says Hamilton.

The notion that computer geeks armed with keyboards and computers facing off in cyberspace in an code war is more Hollywood than reality. Hackers have shut down networks with a massive denial of service attack on a server. Such attacks rendered a website or companies network useless because the servers can't handle the volume of requests coming in.

But experts says hackers are not doing these frontal assaults, rather they are focusing in on the weakest link in the security chain -- people.

"To really gain access to the critical resources in a network you need to plant something inside that network," says Hamilton. "The best way to do that is through the unwitting collusion of the person sitting at the computer."

An effective technique has been "spear phishing." A hacker specifically targets an individual by sending them email that appears to be from a trusted source of the recipient. There's usually an attachment with that email. When opened, the malware inside that attachment is quietly launched into the user's computer without the user's knowledge.

If computer's anti-virus software is not up to date or more frighteningly, the malware is too new for anti-virus software to detected, the malware could operate for a long time, gathering key stroke information that would eventually be sent to the hacker via the internet. The hacker could then use the information to find another user to spear phish to find a computer that's part of the command and control of a critical piece of infrastructure.

"The vast majority of what we see today is theft of intellectual property," says Schmidt. "We see people breaking into systems and not using necessarily sophisticated technology methods."

It may sound ridiculous at first, but hackers have found success using a low tech method of getting spyware into a target's computer. The attacker simply tosses USB thumb drives loaded with spyware into the parking lot or entrance of a targeted location relying on the curiosity of an employee who picks up the thumb drive, pops into their computer to see what's on it.

If anti-virus doesn't detect the spyware, it's launched automatically into the user's computer and possibly into a network to go about its nefarious duties.

"There's no firewall for stupidity," says Hamilton.

Schmidt says companies and governments need to train their staff on safe computing practices. He says it's something that needs to be done more than once a year.

"The major part of successful intrusions we see is just the fact of poor password management," says Schmidt. He's in favor of dropping password protection of critical systems and replace it with two factor authentication. "Something you have and something you know," say Schmidt.

It's the unknown spyware lurking in the systems that control our critical infrastructure that keeps Schmidt up at night, what he calls 'zero day vulnerability".

"That somebody in the future at some point can flip a switch and lights go out," says Schmidt.